The U.S. International Trade Commission is an independent, nonpartisan, quasi-judicial federal agency
that provides trade expertise to both the legislative and executive branches of government, determines the
impact of imports on U.S. industries, and directs actions against certain unfair trade practices, such as
patent, trademark, and copyright infringement. USITC analysts and economists investigate and publish
reports on U.S. industries and the global trends that affect them. The agency also maintains and publishes
the Harmonized Tariff Schedule of the United States.

                                             Commissioners
                                        Deanna Tanner Okun, Chairman
                                        Irving A. Williamson, Vice Chairman
                                        Charlotte R. Lane
                                        Daniel R. Pearson
                                        Shara L. Aranoff
                                        Dean A. Pinkert

       OFFICE OF INSPECTOR GENERAL
       UNITED STATES INTERNATIONAL TRADE COMMISSION
       WASHINGTON, DC 20436

VIA ELECTRONIC TRANSMISSION

April 28, 2011                                                          OIG-JJ-006

Chairman Okun:

This memorandum transmits the Office of Inspector General's final report, Audit of Log
Management, OIG-AR-11-10. In finalizing the report, we analyzed management's
comments on our draft report and have included those comments in their entirety in
Appendix A.

This report contains three recommendations for corrective action. In the next 30 days,
please provide me with your management decisions describing the specific actions that you
will take to implement each recommendation.

Thank you for the courtesies extended to my staff during this audit.

Sincerely,

Philip M. Heneghan
Inspector General

                              U.S. International Trade Commission
                                           Audit Report

Table of Contents

Results of Audit

Problem Areas
   Problem Area 1: Server, network, and security infrastructure is not being centrally
   monitored with the Commission's designated Log Management tool.

      Recommendation 1: Fully configure the Security Information and Event
      Management (SIEM) tool to monitor all ITCNet infrastructure.

   Problem Area 2: Log data is not being effectively used.

      Recommendation 2: Configure the SIEM tool to provide reporting to groups
      responsible for the operations of workstations, applications, databases, servers,
      security, and network management.

   Problem Area 3: Clock synchronization is not fully implemented on ITCNet.

      Recommendation 3: Configure all ITCNet devices to synchronize with a central
      time source.

Management Comments and Our Analysis

Objective, Scope, and Methodology

Appendix A: Management Comments on Draft Report

                                  Results of Audit

The objective of this audit was to determine:

       Are system logs configured and monitored in a way that adds value to the
       operation of ITCNet?

No, the ITC has not configured its system logs in a way that adds value to the operation
of ITCNet.

Network devices such as workstations, servers, and firewalls create logs listing
information about operational actions as they occur. This information can include the
who, what, when, where, why, and how of the following types of data:

   -   Success or failure of login attempts;
   -   Permission changes;
   -   Unusual system loads;
   -   Resource access (suspicious and otherwise);
   -   Changes in system performance; and
   -   System and application errors.

The hundreds of devices on ITCNet can potentially generate millions of logged events
per day, requiring the use of an automated program to collect, analyze, and efficiently
distribute this data to the groups responsible for managing these systems.
If the logged
data does not get to the right people at the right time, logging is of limited value.

A log management program adds the most value by collecting log data from all
infrastructure devices, including firewalls, application servers, authentication devices,
and network equipment. Such a program would be designed from the ground up with input
from multiple groups, including server operations, network management, database and
application administrators, desktop support, network security administrators, and IT
management. It would monitor for both minor and severe incidents, store aggregate data
on each, and report immediately to the responsible groups so that they can take corrective
action. Those groups would retain access to the program's tools so that reports can be
run on demand to understand current and historical activity.

ITC currently has numerous tools in place to collect and analyze logs. One tool collects
data about network traffic, analyzes it to detect intrusions, and reports this
information to one network security engineer. Another tool collects data from
workstations, firewalls, the core switch, and a couple of servers, and reports this data to
another network security specialist. Still more tools collect performance metrics and
system status from a collection of servers and the core switch, reporting this data to
different operational staff.

ITC possesses a number of tools, but it lacks a coherent log management program with a
comprehensive view of logs from all servers, security, and network devices, one that provides
useful and timely information to all operational groups responsible for the upkeep of
ITC's systems.

During the course of this audit, we identified three problem areas. First, the
Commission's Security Information and Event Management tool has not been configured
to monitor the whole of the ITCNet infrastructure, greatly limiting its value. Second,
although this tool is configured to monitor workstations, the information it gathers
is not being reported to operational staff, further reducing the value of its
implementation. Finally, the clocks on ITCNet devices are not all synchronized, making
it difficult to correlate events affecting multiple devices.

                                   Problem Areas

                                 Problem Area 1:
 Server, network, and security infrastructure is not being centrally monitored with
              the Commission's designated Log Management tool.

The USITC invested in a Security Information and Event Management tool to perform
automated log collection, analysis, and reporting of events network-wide on ITCNet.
At the time of the audit, the system was only shown to be monitoring workstations on
ITCNet and two servers; it was not configured to monitor the rest of the server,
network, and security infrastructure.

Networked computer devices are capable of producing detailed logs of system activity.
Depending on the capabilities of each device, these logs can record tens of thousands of
events per day, making it impossible for a human to read, much less analyze, these
events.
For this reason, organizations implement automated systems to capture, analyze,
and report on this log data.

ITC will not be fully aware of events happening across its server, security, and network
infrastructure until its SIEM tool is configured to effectively monitor all devices in the
ITCNet infrastructure.

Recommendation 1:

Fully configure the Security Information and Event Management (SIEM) tool to monitor
all ITCNet infrastructure.

                                   Problem Area 2:
                         Log data is not being effectively used.

The output of an effective log management system is the communication of useful
information to responsible parties. On ITCNet, we found repeated errors being logged on
every workstation we examined. An effective log management system would have
identified and reported this as a problem for resolution by operational staff.

All devices on the USITC network are capable of generating logs of events. These logs
can identify a range of events, including configuration changes, hacking attempts, and
misconfigured software.

All USITC workstations running Microsoft Windows XP maintain an Application event
log that stores event data related to applications. Anyone can view this log by performing
the following steps:

1.     Right-click "My Computer";
2.     Click "Manage";
3.     On the left side, click "Event Viewer";
4.     Double-click "Application" in the right pane; and
5.     The pane changes to show a number of events regarding applications on the PC.

In one example, over a 24 hour span, a single workstation logged 122 errors with the
source "crypt32", with two different messages as follows:

-      Failed extract of third-party root list from auto update cab at:
       <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
       with error: A required certificate is not within its validity period when
       verifying against the current system clock or the timestamp in the signed file; and

-      Failed auto update retrieval of third-party root list sequence number from:
       <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
       with error: This network connection does not exist.

The severity and impact of logged events vary. These specific errors indicate that the
workstation is misconfigured for ITC's network and is repeatedly trying and failing to
perform a specific operation. In this case, users are most likely not impacted by this
error, but this type of event fills the logs, making it more difficult to find other,
more pertinent events when troubleshooting system problems. Because the first message
reports a validity-period check against the system clock, a reader of this log also needs
to know whether the workstation's clock was correct, which is the subject of Problem
Area 3. A review of two other workstations online since last year found the following
errors related to crypt32:
       -       Workstation 1: 54,482 of 61,226 (89%) total events between 5/28/2010
               and 3/4/2011 (195 per day); and
       -       Workstation 2: 78,645 of 86,521 (91%) total events between 6/2/2010 and
               3/4/2011 (286 per day).

A simple configuration change is all that is required to resolve the cause of these errors
and to stop the clogging of workstation Application logs. An effective log management
program would report that an event is occurring as often as 80,000 times per day across
ITC's 400 workstations, and this information could then be used to prioritize resources
for resolving such common and easily solved problems.

The log management program is not effectively reporting common system errors to
responsible operational groups, resulting in the delayed resolution of system errors.

Recommendation 2:

Configure the SIEM tool to provide reporting to groups responsible for the operations of
workstations, applications, databases, servers, security, and network management.

                                 Problem Area 3:
             Clock synchronization is not fully implemented on ITCNet.

In a review of 10 ITCNet devices, we found that the clocks of half of them were not
synchronized.

To understand and correlate the events taking place on a network, a consistent
"ITCNet time" matters more than the "correct time" (though the two are not mutually
exclusive). Every network device maintains a system clock, which supplies the timestamp
for each event logged on that device. A synchronized system clock is a core
requirement for network analysis and forensics.
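The following is an added example, written for this page and not taken from the audit report or from ITCNet, of the two checks a central log management program would apply to the events it collects. The first, per-source summarisation, is how the crypt32 finding in Problem Area 2 (89% and 91% of two workstations' Application logs from a single source, plus a fleet-wide daily rate) would surface automatically instead of by hand. The second measures each device's clock offset from the collector and shows why the correlation point made here holds: a failed logon on a domain controller and the matching firewall entry only line up once the firewall's clock offset is accounted for. Every host name, timestamp, offset, message and count in the sample data is constructed, and the code assumes the collector stamps each event with its own receive time and is itself synchronised with the central time server.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

FMT = "%Y-%m-%d %H:%M:%S"


def make_event(host, host_ts, recv_ts, source, level, message):
    """One forwarded event. host_ts is the timestamp the device wrote into its
    own log; recv_ts is when the central collector received it. Assumption: the
    collector itself is synchronised with the central time server."""
    return {"host": host, "source": source, "level": level, "message": message,
            "host_ts": datetime.strptime(host_ts, FMT),
            "recv_ts": datetime.strptime(recv_ts, FMT)}


def _series(host, first_recv, clock_offset, source, level, message, count, step):
    """`count` events `step` apart from a host whose clock runs `clock_offset`
    ahead of the collector's clock (negative means behind)."""
    return [make_event(host, (first_recv + i * step + clock_offset).strftime(FMT),
                       (first_recv + i * step).strftime(FMT), source, level, message)
            for i in range(count)]


def build_sample_events():
    """Constructed sample (not ITCNet data): two XP workstations dominated by
    crypt32 errors (ws2's clock five minutes slow), a domain controller in sync,
    and a firewall whose clock is two hours fast."""
    t0 = datetime(2011, 3, 4, 8, 0, 0)
    h = timedelta(hours=1)
    crypt32 = ("Failed extract of third-party root list from auto update cab: "
               "A required certificate is not within its validity period")
    ev = []
    ev += _series("ws1", t0, timedelta(0), "crypt32", "Error", crypt32, 9, 3 * h)
    ev += _series("ws1", t0 + h, timedelta(0), "Userenv", "Warning", "Slow profile load", 1, h)
    ev += _series("ws2", t0, timedelta(minutes=-5), "crypt32", "Error", crypt32, 8, 3 * h)
    ev += _series("ws2", t0 + h, timedelta(minutes=-5), "Print", "Information", "Document printed", 2, 6 * h)
    ev += _series("dc1", t0 + 2 * h, timedelta(0), "Security", "Failure Audit",
                  "Logon failure for jsmith from 10.0.0.25", 1, h)
    ev += _series("fw1", t0 + 2 * h + timedelta(seconds=5), 2 * h, "fw", "Notice",
                  "deny tcp 10.0.0.25 -> 10.0.1.10:445", 1, h)
    ev += _series("fw1", t0 + 6 * h, 2 * h, "fw", "Notice",
                  "deny tcp 10.0.0.77 -> 10.0.1.10:445", 1, h)
    return ev


def source_summary(events, noise_share=0.5, min_events=5):
    """Per host: events by source, and the sources that make up at least
    noise_share of a log holding min_events or more entries (the report's
    89%/91% crypt32 figures are exactly this kind of output)."""
    by_host = defaultdict(Counter)
    for e in events:
        by_host[e["host"]][e["source"]] += 1
    report = {}
    for host, counts in by_host.items():
        total = sum(counts.values())
        noisy = [s for s, n in counts.items() if total >= min_events and n / total >= noise_share]
        report[host] = {"total": total, "counts": dict(counts), "noisy": sorted(noisy)}
    return report


def daily_rate(events, source):
    """Fleet-wide events per day from `source` over the collector's observed
    span (spans shorter than a day are treated as one day)."""
    hits = [e["recv_ts"] for e in events if e["source"] == source]
    if not hits:
        return 0.0
    span = max(max(hits) - min(hits), timedelta(days=1))
    return len(hits) / (span.total_seconds() / 86400)


def clock_offsets(events, tolerance=timedelta(seconds=60)):
    """Median (host_ts - recv_ts) per host: how far each device's clock is from
    the collector's. Hosts beyond `tolerance` are not on "ITCNet time"."""
    deltas = defaultdict(list)
    for e in events:
        deltas[e["host"]].append((e["host_ts"] - e["recv_ts"]).total_seconds())
    offsets = {host: timedelta(seconds=median(d)) for host, d in deltas.items()}
    out_of_sync = sorted(host for host, off in offsets.items() if abs(off) > tolerance)
    return offsets, out_of_sync


def correlate(events, anchor, window=timedelta(seconds=30), corrected=False):
    """Other hosts with an event within `window` of `anchor`, using raw host
    timestamps or, with corrected=True, timestamps adjusted by each host's
    measured offset (what synchronised clocks would have produced)."""
    offsets, _ = clock_offsets(events)

    def when(e):
        return e["host_ts"] - offsets[e["host"]] if corrected else e["host_ts"]

    return sorted({e["host"] for e in events
                   if e["host"] != anchor["host"] and abs(when(e) - when(anchor)) <= window})


if __name__ == "__main__":
    ev = build_sample_events()
    for host, r in sorted(source_summary(ev).items()):
        print(f"{host}: {r['total']} events, noisy sources: {r['noisy']}")
    print(f"crypt32 events per day, fleet-wide: {daily_rate(ev, 'crypt32'):.0f}")
    offsets, bad = clock_offsets(ev)
    print("clock offsets (s):", {h: int(o.total_seconds()) for h, o in offsets.items()}, "out of sync:", bad)
    failed_logon = next(e for e in ev if e["host"] == "dc1")
    print("correlated with the failed logon, raw clocks:      ", correlate(ev, failed_logon))
    print("correlated with the failed logon, corrected clocks:", correlate(ev, failed_logon, corrected=True))
```

Run it directly to print the summaries. On a Windows workstation the Application log described above can be exported with PowerShell's Get-EventLog -LogName Application and fed to source_summary in place of the constructed sample. The offset measurement is a check on NTP, not a substitute for it: the correction only works for events the collector has itself timestamped, and a device whose clock is wrong still writes wrong times into every local log that never reaches the collector.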
To correlate an incident that affects multiple systems, the clocks on all of those
systems must agree.

To maintain clock synchronization on a network, two things are required:

   1. A central time server; and
   2. Configuration of each device to set its time from that central time server using
      Network Time Protocol (NTP).

ITCNet does have a central time server, and some systems are synchronizing their clocks
with this server. Visible evidence of this is that the clocks are synchronized across two
completely different kinds of system, workstations and desk phones, both of which
synchronize with the central time server.

In our survey of 10 infrastructure devices, including servers, switches, routers, and
firewalls, only five were found to share the same time. The five devices that didn't have
"ITCNet time" were not configured to synchronize with the central time server.

We found that while USITC has implemented a time source for the network, not all
systems are configured to synchronize with this central time source.

Recommendation 3:

Configure all ITCNet devices to synchronize with a central time source.

              Management Comments and Our Analysis

On April 19, 2011, Chairman Deanna Tanner Okun provided management comments on
the draft audit report. The Chairman agreed that there are deficiencies in the
Commission's Log Management Program that need to be corrected to improve its
effectiveness.

Based on the recommendations we made in our draft report, the Office of the CIO has
resolved the issues with clock synchronization and has added systems to the
infrastructure being monitored.

                    Objective, Scope, and Methodology

Objective:

"Are system logs configured and monitored in a way that adds value to the operation of
ITCNet?"

Scope:

This audit focused on the operational management of logs created on USITC systems as
of February 7, 2011, with a primary focus on the logging capabilities of critical
infrastructure, including Active Directory domain controllers, authentication devices,
network infrastructure, security device infrastructure, and other devices critical to the
core functions of USITC.

Methodology:

a. Interview program staff responsible for logging.
b. Interview operational staff receiving logs.
c. Collect an inventory of network infrastructure devices.
d. Identify the primary log management system in use.
e. Assess the log management status of core infrastructure.
f. Identify and analyze logging on Active Directory authentication servers.
g. Review the logging capabilities of RSA authentication servers.
h. Identify existing network time protocol server(s).
i. Assess time synchronization of infrastructure devices with the network time protocol
   server(s).
j. Review syslog settings of devices forwarding to the primary log management system.

We conducted this performance audit in accordance with Generally Accepted
Government Auditing Standards (GAGAS). Those standards require that we plan and
perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis
for our findings and conclusions based on our audit objectives. We believe that the
evidence obtained provides a reasonable basis for our findings and conclusions based on
our audit objectives.

    Appendix A: Management Comments on Draft Report